Pages

Wednesday, December 15, 2010

We have reverse engineered the opt in bot net malware (LOIC)

We have reverse engineered the opt in bot net malware (LOIC) and have been briefing our large global online presences on this particular threat as we provide ongoing threat alerts and briefings as part of our service.

As as sign of good will and information sharing, we are available to brief you as well - perhaps there will be some valuable data that could be of use to your organisation.

Feel free to get in touch to arrange a date and time.

How was it that a loosely-coupled group of cyber-protestors could launch -- with varying degrees of success -- targeted distributed denial-of-service (DDoS) attacks against sites such as MasterCard, PayPal, PostFinance, and the website belonging to a Swedish prosecutor?
Turns out it's quite simple. All an attacker need do is download the open source network stress testing tool known as LOIC (the Low Orbit Ion Cannon) that is widely available. Launching an attack with LOIC is mind-numbingly easy: just point and shoot. LOIC will then flood the target with HTTP requests, UDP and TCP packets.

Those participating in the pro-Wikileaks riots could operate on their own, or choose to connect their system to the "LOIC Hivemind" voluntary botnet that is centrally controlled by those behind Operation Payback.
Since the launch of the attacks, LOIC has been downloaded nearly 70,000 times.
Cyber protestors engaging in digital rioting such as web-site defacements, and denial-of-service attacks, and even inserting messages in malware have existed for some time. Such attacks being highly connected isn't new, either. They have been socializing on message boards and instantly communicating in Internet Relay Chat for many years.
What is new is the ease of which a tool such as LOIC can be put into action. "LOIC is extremely easy to use. It is designed so someone with little or no technical knowledge can quickly download and install it, and participate in DDoS activities," said Alex Cox, principal analyst at security firm NetWitness. "It also has the ability to be remotely controlled by a central IRC server, so that more technically competent operators can direct attacks en masse at targets, regardless of the participant's technical knowledge."
"There is a false belief that we are fending off casual attackers," said Joshua Corman, research director, enterprise security at the 451 Group. "However, I don't think the casual attacker exists any more. Just consider how powerful tools like Metasploit have become. There's also the malware kits that make obfuscating malware or building botnets trivial. You don't need to know anything to launch a successful attack anymore," said Corman.
Anyone on the receiving end of a LOIC packet burst would be sure to agree, and how technically savvy the attacker happens to be is made mute by the ease and power of the attack.
Cox agrees: "The attacker landscape is moving more toward "point-and-click" attack and exploitation tools. This is reflected in the many crimeware systems available in the underground, which includes DDOS, do-it-yourself botnet kits (Zeus, Spyeye, and many others) as well as exploit kits," he said. "In the past you had to have a certain amount of technical skill to participate, but now anyone can."
For security practitioners the big story within the pro-Wikileak and LOIC attacks may not have much to do about Wikileaks and the legalities or the politics of it all -- and everything to do about how swiftly, and easily, online attackers can be called into action against any target they wish.